OSSEC Implementation Guide


General Information

OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response. OSSEC runs on most operating systems, including Linux, MacOS, Solaris, HP-UX, AIX and Windows. This guide provides basic information on installing and configuring OSSEC within your computing environment.

Note: In order to configure OSSEC properly, a syslog server must be configured and installed before 

 

Installing OSSEC server

1. Using a web browser or the wget command, download the complete source code from www.ossec.net/files/ossec-hids-2.4.tar.gz together with the checksum file (http://www.ossec.net/files/ossec-hids-2.4.1_checksum.txt) that is used to check the integrity of the OSSEC source.

 

2. On the command line, change to the directory where you saved the downloaded files and verify the checksums with this command:


        # md5sum -c ossec-hids-1.4_checksum.txt
        ossec-hids-1.4.tar.gz: OK
        ossec-agent-win32-1.4.exe: OK

 

3. Because the OSSEC HIDS installer must compile the application from source code the first time it runs, a working build environment is required on your system. On most Linux and BSD operating systems a C compiler and its supporting files are already installed. If not, you must install gcc and the development headers before proceeding.

   

4. Extract the .tar.gz file, change into the created directory, and then run the install script:

          # gunzip -c ossec-hids-1.3.tar.gz | tar -xf -
          # cd ossec-hids-1.3
          # ./install.sh

 

5. Choose installation language by typing en and hitting ENTER:

        ** For installation in English, choose [en].

   

6. Next you will see this on the screen:

        (en/br/cn/de/es/fr/it/jp/pl/ru/sr/tr) [en]:
        OSSEC HIDS v1.4 Installation Script - http://www.ossec.net
        You are about to start the installation process of the OSSEC HIDS.
        You must have a C compiler pre-installed in your system.
        If you have any questions or comments, please send an e-mail
        to dcid@ossec.net (or daniel.cid@gmail.com).
        - System: Linux earth 2.6.20-16-generic
        - User: root
        - Host: earth
        -- Press ENTER to continue or Ctrl-C to abort. --

 ## Note: the System, User, and Host fields depend on your own configuration.

 

7. After you press ENTER, the installer asks which kind of installation you want.

1- What kind of installation do you want (server, agent, local or help)?
        - Server installation chosen.
2- Setting up the installation environment.
        - Choose where to install the OSSEC HIDS [/var/ossec]: /var/ossec
        - Installation will be made at /var/ossec

 

8. Configure alert notifications (this is what you will see on the screen):

        - Configuring the OSSEC HIDS.
        - Do you want e-mail notification? (y/n) [y]: y
        - What’s your e-mail address? root@localhost  ## use your sfsu email
        - We found your SMTP server as: 127.0.0.1     ## do not use local IP

        - Do you want to use it? (y/n) [y]: y
        --- Using SMTP server: 127.0.0.1  ## do not use local IP

 

9. Configure active response, a feature that takes automated actions to prevent an intrusion or reduce its extent.

  •  Active response allows you to execute a specific command based on the events received. For example, you can block an IP address or disable access for a specific user. More information at: http://www.ossec.net/en/manual.html#active-response
  • Do you want to enable active response? (y/n) [y]: y
  • Active response enabled.
  • By default, we can enable the host-deny and the firewall-drop responses. The first one will add a host to the /etc/hosts.deny and the second one will block the host on iptables (if linux) or on ipfilter (if Solaris, FreeBSD or NetBSD).
  • They can be used to stop SSHD brute force scans, portscans and some other forms of attacks. You can also add them to block on snort events, for example.
  • Do you want to enable the firewall-drop response? (y/n) [y]: y
  • Firewall-drop enabled (local) for levels >= 6
  • Default white list for the active response:
      - 192.168.65.2
  • Do you want to add more IPs to the white list? (y/n)? [n]: n

   

10. With a server installation, the OSSEC HIDS can receive alerts through an encrypted channel (port 1514) or through syslog (port 514).

        - Do you want to enable remote syslog (port 514 udp)? (y/n) [y]: y
        - Remote syslog enabled.
        - Setting the configuration to analyze the following logs:
        -- /var/log/messages
        -- /var/log/auth.log
        -- /var/log/syslog
        -- /var/log/mail.info
        - If you want to monitor any other file, just change
        the ossec.conf and add a new localfile entry.
        Any questions about the configuration can be answered
        by visiting us online at http://www.ossec.net .
        --- Press ENTER to continue ---

 

11. After you press Enter, the OSSEC HIDS is compiled, installed, and configured with the options you specified. When the installation is complete, the installer script provides you with some final information. You can always change the configuration of your OSSEC server in the /etc/pf.conf file.

 

## Note: to start your server, run: # /opt/ossec/bin/ossec-control start

    
Installing the agent on a Linux-based machine:

 

1. Follow steps 1 through 6 from the server installation.

2. When the installer asks for the installation type, choose agent:

  •  What kind of installation do you want (server, agent, local or help)? agent
     - Agent (client) installation chosen.

  •  Setting up the installation environment.
     - Choose where to install the OSSEC HIDS [/var/ossec]: /opt/ossec
     - Installation will be made at /opt/ossec .

  •  Configuring the OSSEC HIDS.
     - What’s the IP Address of the OSSEC HIDS server?: 192.168.65.20
     - Adding Server IP 192.168.65.20

  •  Do you want to run the integrity check daemon? (y/n) [y]: y
     - Running syscheck (integrity check daemon).

  •  Do you want to run the rootkit detection engine? (y/n) [y]: y
     - Running rootcheck (rootkit detection).

3. Enable active response.

        - Do you want to enable active response? (y/n) [y]: y
        -- Setting the configuration to analyze the following logs:
        -- /var/log/messages
        -- /var/log/authlog
        -- /var/log/secure
        -- /var/log/xferlog
        -- /var/log/maillog
        - If you want to monitor any other file, just change
        the ossec.conf and add a new localfile entry.
        Any questions about the configuration can be answered
        by visiting us online at http://www.ossec.net .
        --- Press ENTER to continue ---

4. After you press Enter, the OSSEC HIDS is compiled, installed, and configured with the options you specified. Then start it:

[root@ossec ~]# /var/ossec/bin/ossec-control start
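Both the server installer (step 10) and the agent installer (step 3 above) end with the same hint: to monitor another file, add a localfile entry to ossec.conf. The helper below is an added example, not part of the original guide or of the OSSEC project: it appends such an entry for an extra log, refusing a path that is already monitored and a log_format it does not recognise. The sample ossec.conf it builds is constructed for the demonstration and is not a real install.

```shell
#!/bin/sh
# Added example, not from the OSSEC project or the original guide: append a
# <localfile> entry to ossec.conf for an extra log file, as the installer's
# closing message suggests, refusing duplicates and unknown log formats.
# OSSEC reads every <ossec_config> block in the file, so the entry is appended
# as its own block rather than spliced into an existing one.

# add_localfile CONF PATH [LOG_FORMAT]
# exit 0 = added, 2 = PATH already monitored, 1 = bad arguments or format
add_localfile() {
    _conf=$1; _path=$2; _fmt=${3:-syslog}
    [ -f "$_conf" ] && [ -n "$_path" ] || return 1
    case "$_fmt" in                       # subset of OSSEC log_format values
        syslog|apache|squid|snort-full|snort-fast|mysql_log|postgresql_log|nmapg) ;;
        *) return 1 ;;
    esac
    grep -qF "<location>$_path</location>" "$_conf" && return 2
    cat >> "$_conf" <<EOF
<ossec_config>
  <localfile>
    <log_format>$_fmt</log_format>
    <location>$_path</location>
  </localfile>
</ossec_config>
EOF
}

# count_localfiles CONF -> number of monitored files in CONF
count_localfiles() { grep -c '<location>' "$1"; }

# make_sample_conf -> path of a constructed ossec.conf carrying one
# installer-style localfile entry (sample data for the demonstration only)
make_sample_conf() {
    _f=$(mktemp)
    cat > "$_f" <<'EOF'
<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>
</ossec_config>
EOF
    printf '%s\n' "$_f"
}

conf=$(make_sample_conf)
add_localfile "$conf" /var/log/secure syslog && echo "added /var/log/secure"
add_localfile "$conf" /var/log/secure syslog || echo "already monitored (status $?)"
echo "monitored files: $(count_localfiles "$conf")"
```

On a real host point the first argument at /var/ossec/etc/ossec.conf (or /opt/ossec/etc/ossec.conf for the agent layout used above) and restart OSSEC with ossec-control afterwards so the new entry is read.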

 

 

Adding agents to the server:

 

The communication between the server and the agents is secure (encrypted and authenticated). Because of that, for every “agent” that you want to install, you need to create an “authentication key” for it on the server. When the key is generated on the server, you need to export it from there and import (or push) it to the agent.

 

1. Add the agent to the server: run the “manage_agents” command, provide the IP address of the agent and choose a name (or username) for it.

(server)# /var/ossec/bin/manage_agents

****************************************
* OSSEC HIDS v0.8 Agent manager. *
* The following options are available: *
****************************************
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
Choose your actions: A,E,R or Q: a

- Adding a new agent (use ‘q’ to return to main menu).
Please provide the following:
* A name for the new agent: linux1
* The IP Address for the new agent: 192.168.2.32

* An ID for the new agent[001]:
Agent information:
ID:001
Name:linux1
IP Address:192.168.2.32

Confirm adding it?(y/n): y
Added.

2. After the agent is added, extract the authentication key from your server. In “manage_agents”, choose the “E” option and provide the ID of the agent. The key to be used by the agent will be printed. Then copy and paste it on the agent side.

(server)# /var/ossec/bin/manage_agents

****************************************
* OSSEC HIDS v0.8 Agent manager. *
* The following options are available: *
****************************************
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
Choose your actions: A,E,R or Q: e

Available agents:
ID: 001, Name: linux1, IP: 192.168.2.32
ID: 002, Name: obsd1, IP: 192.168.2.10
Provide the ID of the agent you want to extract the key: 001

Agent key information for ‘001′ is:
CDAxIGxpbnX4MSAxOTIuMTY4LjAuMzIgOWM5MENlYzNXXXYYYZZZZZ==

** Press ENTER to continue

 

3. After the key is generated, copy it and paste it on the agent side. Run the same “manage_agents” command on the agent.

(agent)# /var/ossec/bin/manage_agents

****************************************
* OSSEC HIDS v0.8 Agent manager. *
* The following options are available: *
****************************************
(I)mport key for the server (I).
(Q)uit.
Choose your actions: I or Q: i

* Provide the Key generated from the server.
* The best approach is to cut and paste it.
*** OBS: Do not include spaces or new lines.

Paste it here: CDAxIGxpbnX4MSAxOTIuMTY4LjAuMzIgOWM5MENlYzNXXXYYYZZZZZ==

Agent information:
ID:001
Name:linux1
IP Address:192.168.2.32

Confirm adding it?(y/n): y

Added.
** Press ENTER to continue.

****************************************
* OSSEC HIDS v0.8 Agent manager. *
* The following options are available: *
****************************************
(I)mport key for the server (I).
(Q)uit.
Choose your actions: I or Q: q

manage_agents: Exiting ..
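Before pasting a key on the agent in step 3, it is worth checking that the blob you copied really is the one for this agent. The check below is an added example, not part of the original guide or of the OSSEC tools: manage_agents prints the base64 encoding of the line "ID NAME IP SECRET", so the function strips whitespace left in by a paste, decodes the key and confirms the ID and IP inside it match the agent being installed. The sample key it builds is constructed, with a dummy secret.

```shell
#!/bin/sh
# Added example, not from the OSSEC project or the original guide: check an
# exported agent key before pasting it into manage_agents on the agent.
# manage_agents prints base64("<ID> <NAME> <IP> <SECRET>"); the check strips
# stray whitespace (the paste error the tool warns about), decodes the key and
# confirms the ID and IP inside it belong to the agent you are installing.
# Requires GNU coreutils base64 (-d).

# check_agent_key KEY EXPECTED_ID EXPECTED_IP
# prints "ID NAME IP" and returns 0 on a match, 1 otherwise
check_agent_key() {
    _key=$(printf '%s' "$1" | tr -d ' \t\r\n')
    _line=$(printf '%s' "$_key" | base64 -d 2>/dev/null) || return 1
    # Exactly four fields, otherwise this is not a manage_agents key.
    [ "$(printf '%s\n' "$_line" | awk '{ print NF }')" = 4 ] || return 1
    _id=$(printf '%s\n' "$_line" | awk '{ print $1 }')
    _name=$(printf '%s\n' "$_line" | awk '{ print $2 }')
    _ip=$(printf '%s\n' "$_line" | awk '{ print $3 }')
    [ "$_id" = "$2" ] && [ "$_ip" = "$3" ] || return 1
    printf '%s %s %s\n' "$_id" "$_name" "$_ip"
}

# Constructed sample key for agent 001 (linux1, 192.168.2.32); the secret is
# a dummy value, not a real OSSEC key.
SAMPLE_KEY=$(printf '001 linux1 192.168.2.32 0123456789abcdef0123456789abcdef' | base64 | tr -d '\n')

check_agent_key "$SAMPLE_KEY" 001 192.168.2.32
```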

   

 

4. After the agent installation is complete, you can start the OSSEC HIDS service by running the following command:

      # /opt/ossec/bin/ossec-control start

 

Installing the agent on a Windows-based machine:

 

1. Go to the link below and download the OSSEC installer for Windows:

http://www.ossec.net/files/ossec-agent-win32-2.4.1.exe

2. Launch the installer.


3. Accept the license.


4. Select the components (in this case, choose the agent).


5. After choosing the folder location, the agent needs the IP address or hostname of your OSSEC HIDS server and the authentication key for this agent. The key must be extracted on the server, so you must connect to the OSSEC HIDS server over SSH: launch the SSH client on your Windows host, type the server's IP address or hostname in the Host Name field, and then click Open. If this is your first time connecting to the server from this Windows host, you are asked to accept the server's SSH identity. Accept it, log in to the server, execute the manage_agents utility, extract the key for this agent, and then paste the key in the Authentication key field.

 

6. Connect to the OSSEC server.


7. Run the manage_agents command and choose option E.


8. In this case, the host name is mercury, which has ID 002. Enter 002, select the key information, and copy it to the clipboard.

 

9. Paste the key and click OK.


10. Configure the import. The installer asks if you want to start OSSEC HIDS; click OK.


11. The Windows agent is now installed and running. You can confirm that the agent is connected to the server by looking at the logs of the Windows agent.